JUST WATCHED

Hackers watch child over camera monitor

MUST WATCH

Story highlights

Houston father says web camera turned to face parents when they arrived

The girl, who is hearing-impaired, never woke up

Experts say to make sure monitors are password-protected

An unknown hacker apparently gained access to a 2-year-old girl's baby monitor, calling her by name and harassing her, and her parents, with insults and profanity.

A couple in suburban Houston, Texas, told CNN affiliate KTRK that, over the weekend, they heard a strange voice in the bedroom shared by their two toddlers. When they got there, Marc Gilbert said they realized the voice was coming from the Web camera they use to keep tabs on the children.

What they heard next was ugly.

"He said, 'Wake up Allyson, you little slut,' " Gilbert said. He said the hacker, who had a British or European accent, may have read her name on a wall in the bedroom.

When he and his wife Lauren arrived, Gilbert said, the camera swiveled to face them. The hacker proceeded to call him a "stupid moron" and his wife a bitch, Gilbert said, before he unplugged the camera.

JUST WATCHED

See how hackers can control your house

MUST WATCH

The only positive about the situation, he said, is that Allyson never woke up. She was born deaf and has cochlear implants to help her hear, which she was not wearing while sleeping.

"I felt like somebody broke into your house," Gilbert said. "As a father, I'm supposed to protect her against people like this. So it's a little embarrassing to say the least, but it's not going to happen again."

Baby monitors, particularly those with video capabilities, have been shown in the past to be vulnerable. Video monitors can broadcast to TVs and hand-held receivers, or over Wi-Fi to computers, smartphones and tablets.

"Those who can't figure this out should ask for help from somebody with security expertise -- somebody they trust with the safety of extremely precious things," Vaas said.

In comments on the KTRK article about the hack, Marc Gilbert said he did take basic security precautions: "The router was password protected and the firewall was enabled. The IP camera was also password protected," he said.

"Of course, devices may well be protected by passwords, but default passwords that haven't been changed are like having no password at all, as other commenters pointed out," wrote Vaas on the Sophos Security blog.

Multiple security experts have identified the camera model shown in the Houston news report as a Foscam FI9821P. A FAQ page on the manufacturer's site lists the default user name and password -- both "admin" -- for the camera, as well as the default port used to connect it to the Web.

Altering those default settings "with a non-trivial password would make the device far more difficult to access, and probably too much trouble to bother with," wrote technology and security analyst Larry Seltzer for tech blog ZDNet. "If you want to go even further and make it really hard for attackers, you can change the default port."

Seltzer said that anyone on the Internet could build a scanner that would find cameras still hooked up to their default port. They could then check those cameras to see if they still open using the default password.

"This is almost certainly what happened," he wrote.

Earlier this year, researchers at security firm Qualys used the Foscam in a demonstration of how Web-enabled cameras can be exploited.

Foscam did not immediately respond Wednesday to a message seeking comment for this story.